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MEMORANDUM  FOR  DIRECTOR,  DEFENSE  INFORMATION  SYSTEMS 

AGENCY 

DIRECTOR,  DEFENSE  LOGISTICS  AGENCY 

SUBJECT:  Audit  Report  on  Year  2000  Computing  Issues  Related  to  the  Defense  Fuels 
Automated  Management  System  (Report  No.  99-161) 


We  are  providing  this  report  for  review  and  comment.  The  Defense  Logistics 
Agency  did  not  respond  to  the  draft  report;  however,  we  considered  comments  from  the 
Defense  Information  Systems  Agency  in  preparing  the  final  report. 

DoD  Directive  7650.3  requires  that  all  recommendations  be  resolved  promptly. 
The  Defense  Logistics  Agency  did  not  respond  to  the  draft  report  and  conunents  from  the 
Defense  Information  Systems  Agency  were  partially  responsive.  As  a  result  of 
management  comments,  we  redirected  Recommendation  1.  from  the  Defense  Logistics 
Agency  and  the  Defense  Information  Systems  Agency  to  only  the  Defense  Logistics 
Agency.  We  also  added  Recommendation  3.  Therefore,  we  request  that  the  Defense 
Information  Systems  Agency  provide  comments  on  Recommendation  3.  and  the  Defense 
Logistics  Agency  provide  comments  on  Recommendations  1.,  2.,  and  3.  by 
June  17,  1999. 

We  appreciate  the  courtesies  extended  to  the  audit  staff.  Questions  on  the  audit 
should  be  directed  to  Mr.  Robert  M.  Murrell  at  (703)  604-9210  (DSN  664-9210),  email 
<rmurrell@dodig.osd.mil>,  or  Mr.  Joseph  M.  Austin  at  (703)  604-9178  (DSN  664-9178), 
email  <jaustin@dodig.osd.mil>.  See  Appendix  B  for  the  report  distribution.  The  audit 
team  members  are  listed  inside  the  back  cover. 

Robert  J.  Lieberman 
Assistant  Inspector  General 
for  Auditing 
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Report  No.  99-161 

(Project  No.  9LB-9006) 


May  17, 1999 


Year  2000  Computing  Issues  Related 
to  the  Defense  Fuels  Automated  Management  System 

Executive  Summary 


Introduction.  This  is  one  in  a  series  of  reports  being  issued  by  the  Inspector  General, 
DoD,  in  accordance  with  an  informal  partnership  with  the  Chief  Information  Officer,  DoD, 
to  monitor  DoD  efforts  to  address  the  year  2000  computing  challenge.  For  a  listing  of 
audit  projects  addressing  the  issue,  see  the  year  2000  webpage  on  the  IGnet  at 
http;//www.  ignet.gov. 

The  Defense  Energy  Support  Center,  a  Defense  Logistics  Agency  activity,  is  the  central 
manager  for  the  acquisition,  storage,  distribution,  and  sale  of  energy  products  within  DoD. 
This  includes  the  management  of  electricity  and  foel  products  such  as  coal,  natural  gas, 
and  petroleum.  The  Defense  Energy  Support  Center  uses  the  mission-critical  Defense 
Fuels  Automated  Management  System  (DFAMS)  to  manage  the  various  fuel  products. 

The  Defense  Logistics  Agency  did  not  meet  the  DoD  year  2000  target  date  of 
December  31,  1998,  for  implementing  corrective  actions  to  DFAMS.  Defense  Logistics 
Agency  planning  officials  estimated  that  the  DFAMS  year  2000  corrective  actions  will  be 
implemented  by  May  1999. 

Objectives.  The  overall  audit  objective  was  to  determine  whether  DFAMS  would 
operate  after  the  year  2000.  Specifically,  the  audit  focused  on  year  2000  risk  assessments, 
testing,  and  contingency  plans  related  to  DFAMS. 

Results.  Renovated  DFAMS  programs  had  been  tested  on  a  domain  that  was  not  year 
2000  compliant.  The  Defense  Energy  Support  Center  had  not  developed  contingency 
plans  that  identified  methods  for  conducting  operations  in  the  event  DFAMS  suffered  a 
year  2000  disruption.  As  a  result,  test  results  may  not  reflect  DFAMS  actual  year  2000 
performance.  Incomplete  contingency  plans  could  lengthen  the  time  that  would  elapse 
before  business  operations  could  resume  if  year  2000-related  disruptions  occur  in  DFAMS 
computer  operations.  See  Finding  section  of  report  for  details  on  the  audit  results. 


Summary  of  Recommendations.  We  recommend  that  the  Director,  Defense  Logistics 
Agency  assess  the  risk  associated  with  testing  the  renovated  DFAMS  programs  on  a  test 
domdn  that  was  not  year  2000  compliant  and  determine  the  need  for  retesting  and 
develop  operational  contingency  plans.  Additionally,  we  recommend  that  the  Director, 
Defense  Logistics  Agency,  in  conjunction  with  the  Director,  Defense  Information  Systems 
Agency,  ensure  that  the  test  domain  is  year  2000  compliant  before  the  certification  of 
DFAMS  as  year  2000  compliant. 

Management  Comments.  The  Director,  Defense  Information  Systems  Agency 
nonconcurred  with  the  recommendation  that  the  Director,  Defense  Logistics  Agency,  in 
conjunction  with  the  Director,  Defense  Information  Systems  Agency,  assess  the  risks 
associated  with  testing  the  renovated  DFAMS  programs  on  a  test  domain  that  was  not 
year  2000  compliant.  The  Defense  Information  Systems  Agency  stated  that  it  is  the 
customer’s  responsibility  to  assess  the  risk  of  testing  applications  on  a  domain  that  is  not 
year  2000  compliant.  The  Defense  Information  Systems  Agency  also  stated  that  the  DoD 
Year  2000  Management  Plan  does  not  specify  that  an  application  be  tested  in  a  year  2000 
compliant  environment.  The  Defense  Logistics  Agency  did  not  comment  on  the  draft  of 
this  report.  A  discussion  of  management  comments  is  in  the  Finding  section  of  the  report 
and  the  complete  text  is  in  the  Management  Comments  section. 

Audit  Response.  Comments  from  the  Defense  Information  Systems  Agency  are  partially 
responsive.  We  do  not  agree  with  the  Defense  Information  Systems  Agency  assessment 
that  the  DoD  Year  2000  Management  Plan  does  not  require  that  applications  be  tested  in 
a  year  2000  compliant  environment.  The  DoD  Management  Plan  states  that,  in  order  for  a 
system  to  meet  the  minimum  exit  criteria  for  the  validation  phase,  the  system,  among  other 
things,  must  be  tested  on  a  compliant  domain  and  in  an  operationally  compliant 
environment.  We  agree  with  the  Defense  Information  Systems  Agency  that  it  is  the 
customer’s  responsibility  to  assess  the  risk  of  testing  applications  on  a  domain  that  is  not 
year  2000  compliant.  As  a  result  of  comments  from  the  Defense  Information  Systems 
Agency,  we  redirected  the  recommendation  from  the  Defense  Logistics  Agency  and  the 
Defense  Information  System  Agency  to  only  the  Defense  Logistics  Agency  We  request 
that  the  Defense  Information  Systems  Agency  and  the  Defense  Logistics  Agency 
provide  comments  on  the  final  report  by  June  17, 1999. 
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Background 


Defense  Fuels  Automated  Management  System.  The  Defense  Energy 
Support  Center  (DESC),  a  Defense  Logistics  Agency  (DLA)  activity,  is  the 
central  manager  for  the  acquisition,  storage,  distribution,  and  sale  of  energy 
products  witlun  DoD.  It  manages  electricity  and  fuel  products  such  as  coal, 
natural  gas,  and  petroleum.  DESC  uses  the  Defense  Fuels  Automated 
Management  System  (DFAMS)  to  manage  the  various  fuel  products.  DFAMS  is 
a  DLA  mission-critical  standard  automated  information  system  that  provides  an 
integrated  tool  for  the  procurement,  inventory  control,  distribution,  and  financial 
management  that  support  the  material  management  of  bulk  fuel  and  petroleum 
products.  The  system  is  used  to  process  about  $5  billion  a  year  in  fuel  payments. 
DFAMS  was  ranked  10th  in  priority  among  33  DLA  mission-critical  systems. 
The  ranking  was  based  on  the  importance  of  DFAMS  to  readiness,  customer 
serwce,  and  personnel  and  environmental  safety  and  its  impact  on  other  systems. 
The  Fuels  Automated  System  was  slated  to  replace  DFAMS  in  FY  2000. 
However,  because  implementation  of  the  Fuels  Automated  System  fell  behind 
schedule,  a  decision  was  made  in  November  1997  to  renovate  DFAMS  to  make 
it  year  2000  (Y2K)  compliant.  About  $3  million  is  being  expended  to  renovate 
DFAMS. 

DLA  Y2K  Management  Strategy.  The  DLA  approach  for  fixing  Y2K 
problems  calls  for  centralized  management  and  decentralized  implementation. 
The  Director,  DLA  has  overall  responsibility  for  ensuring  continued  DLA 
mission  capability.  The  Chief  Information  Officer,  DLA  is  responsible  for  the 
planning,  management,  and  execution  of  the  DLA  Y2K  Program. 

DLA  Systems  Design  Center.  The  DLA  Systems  Design  Center  (DSDC)  is  the 
DLA  central  design  activity  responsible  for  addressing  and  resolving  hardware 
and  software  related  problems  associated  with  Y2K  compliance  of  DLA 
automated  systems.  DSDC  has  been  tasked  to  lead  the  development  of 
automation  support  necessary  to  make  DFAMS  hardware  and  software  Y2K 
compliant. 

Defense  Logistics  Support  Command.  As  a  major  subordinate  command  of 
DLA,  the  Defense  Logistics  Support  Command  (DLSC)  provides  centralized 
logistics  support  to  the  Military  Departments  as  well  as  Federal  civil  agencies 
and  foreign  governments.  Such  support  includes  everything  from  erecting  a 
defense  reutilization  and  marketing  fonction  at  the  mission  site,  to  arranging  fuel 
support  in-country  to  supply  a  multinational  mission.  DLSC  is  responsible  for 
five  inventory  control  points,  one  of  which  is  DESC. 
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Defense  Information  Systems  Agency.  The  Defense  Information  Systems 
Agency  ^ISA)  is  the  central  manager  for  major  portions  of  the  Defense 
Iirformation  Infrastructure.  DISA  is  responsible  for  planning,  developing  and 
supporting  command,  control,  communications,  computers,  and  intelligence 
operations  functions.  In  that  capacity,  DISA  provides  support  to  the  DoD  Chief 
Information  Officer  in  executing  Y2K  initiatives,  which  includes  maintenance  of 
a  list  of  tools  to  assist  in  resolving  Y2K  problems  and  a  list  of  all  commercial 
off-the-shelf  products  and  their  status  as  to  Y2K  compliance.  DISA  is  also 
responsible  for  operating  16  computer  processing  activities  referred  to  as 
megacenters. 


Objectives 


The  overall  audit  objective  was  to  determine  whether  DFAMS  would  operate 
after  the  year  2000.  Specifically,  the  audit  focused  on  Y2K  risk  assessments, 
testing,  and  contingency  plans  related  to  DFAMS.  See  Appendix  A  for  a 
discussion  of  the  scope  and  methodology  and  for  a  summary  of  prior  coverage. 
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Renovation  of  Defense  Fuels  Automated 
Management  System 

Renovated  DFAMS  programs  had  been  tested  on  a  test  domain  that  was 
not  Y2K  compliant.  In  addition,  DESC  had  not  developed  operational 
contingency  plans  that  identified  methods  for  conducting  operations  in  the 
event  DFi^S  suffered  a  Y2K  disruption.  The  conditions  existed  because 
the  DLA  Y2K  Program  Office  did  not  provide  sufficient  oversight  of  the 
DFAMS  renovation.  As  a  result,  test  results  may  not  reflect  DFAMS 
actual  year  2000  performance.  Incomplete  contingency  plans  could 
lengthen  the  time  that  would  elapse  before  business  operations  could 
resume  if  Y2K-related  disruptions  occur  in  DFAMS  computer  operations 


Management  of  DLA  Y2K  Program 

DLA  established  a  Y2K  program  and  took  positive  actions  to  resolve  its  Y2K 
problem.  Specifically,  DLA  established  a  Y2K  program  management  office, 
assigning  the  Chief  Information  Officer,  DLA,  as  the  focal  point  to  plan,  manage, 
and  execute  the  DLA  Y2K  program.  The  DLA  Y2K  Program  Office  provides 
direct  oversight  of  DLA  Y2K  efforts  and  reports  to  the  Chief  Information  Officer, 
DLA. 

In  addition  to  the  responsibilities  of  the  Chief  Information  Officer,  DLA,  DSDC 
addresses  and  resolves  hardware  and  software  related  problems  associated  with 
Y2K  compliance  for  DLA  automated  systems.  DSDC  is  tasked  to  lead  the 
development  of  necessary  automation  support  to  make  DFAMS  Y2K  compliant. 

DLA  Y2K  Management  Plan.  The  DLA  Y2K  Management  Plan,  version  1.3, 
November  1998,  and  the  Defense  Logistics  Supply  Command  (DLSC) 
Management  Plan,  version  3.0,  October  1998,  provide  the  management  approach 
for  implementing  the  Y2K  program’s  goals  and  objectives.  The  overall  approach 
is  derived  from  the  five-phase  DoD  Management  Plan.  The  DLA  plans  apply  to  all 
DLA  organizations  involved  in  the  acquisition,  development,  maintenance,  and  use 
of  automated  data  processing  equipment  and  software. 

Status  of  DFAMS.  DFAMS  is  being  renovated  to  make  it  Y2K  compliant.  The 
DESC  initial  Y2K  plan  was  to  replace  DFAMS  with  the  Fuels  Automated  System, 
a  contractor,  off-the-shelf  package.  However,  because  of  a  4-month  to  5-month 
slippage  in  fielding  the  Fuels  Automated  System,  a  decision  was  made  in 
November  1997  to  renovate  DFAMS.  The  slippage  in  fielding  the  Fuels 
Automated  System  was  caused  by  a  late  vendor  delivery  of  acceptable  products. 
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DoD,  DLA,  and  DLSC  guidance  required  system  implementation  to  be  completed 
by  December  31,  1998.  However,  DSDC  planning  officials  did  not  expect 
DFAMS  implementation  to  be  accomplished  until  May  1999. 


DFAMS  Testing 

The  overall  Y2K  test  and  certification  process  followed  by  DLA  and  the  Y2K 
management  process  followed  by  DISA  might  not  provide  adequate  assurance  or 
support  for  DLA  to  certify  that  DFAMS  is  Y2K  compliant.  Although  DLA 
implemented  a  Y2K  program  for  DFAMS  and  was  performing  testing  as  the 
system  was  being  renovated,  portions  of  the  DFAMS  programs  were  renovated 
and  tested  on  a  test  domain  that  was  not  Y2K  compliant.  We  attribute  this  to  a 
lack  of  oversight  and  coordination  with  DISA  to  ensure  that  testing  was  done  on  a 
Y2K  compliant  domain.  Also,  the  DFAMS  production  domain  that  was  scheduled 
to  be  Y2K  compliant  in  May  1999  may  not  be  Y2K  compliant,  because  portions  of 
the  DFAMS  programs  were  tested  on  a  domain  that  was  not  Y2K  compliant. 

Test  Domain.  The  August  18,  1998,  DFAMS  test  plan  cites  the  test  criteria  and 
strategies  to  be  followed  for  DFAMS  to  become  Y2K  compliant.  Functional  test 
of  DFAMS  was  scheduled  for  May  1999.  Although  DFAMS  programs  are  tested 
as  they  are  renovated,  programs  that  were  renovated  were  tested  on  a  test  domain 
that  was  not  Y2K  compliant.  As  of  January  1999,  the  DFAMS  progress  report 
showed  that  about  80  percent  of  the  lines  of  code  and  83  percent  of  the  programs 
had  been  renovated  and  tested.  There  was  no  plan  to  retest  those  programs.  The 
DoD  Management  Plan  requires  that  a  system  be  tested  on  a  compliant  domain  in 
an  operationally  compliant  environment  as  a  means  to  exit  the  validation  phase. 
Because  renovated  DFAMS  programs  were  not  tested  in  a  Y2K  compliant 
domain,  DLA  should  perform  a  risk  assessment,  in  conjunction  with  DISA,  before 
certifying  DFAMS  as  Y2K  compliant. 

Production  Domain.  DFAMS  production  domain  was  scheduled  to  be  Y2K 
compliant  by  May  30,  1999,  at  the  time  when  DFAMS  was  to  be  completely 
renovated  and  tested.  However,  because  the  DFAMS  programs  were  tested  on  a 
test  domain  that  was  not  Y2K  compliant,  the  production  domain  may  not  be  Y2K 
compliant. 

£nd-to-End  Testing.  DFAMS  will  not  be  involved  in  end-to-end  testing  because 
renovation  will  not  be  completed  by  the  time  the  end-to-end  testing  is  set  to  begin. 
Also,  DFAMS  will  not  be  included  in  Y2K  end-to-end  testing  because  it  did  not 
meet  the  criteria  for  end-to-end  testing  set  forth  by  the  logistics  Y2K  Interface 
Assessment  Working  Group  in  a  January  1999  conference. 
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Development  of  Operational  Contingency  Plans 


DESC  had  not  developed  operational  contingency  plans.  The  DESC  draft  Y2K 
Business  Continuity  and  Contingency  Plan,  November  1998,  did  not  include 
operational  contingency  plans  that  addressed  alternative  work  processes  for 
maintaining  the  continuity  of  DFAMS  business  functions. 

Purpose  of  Operational  Contingency  Plans.  Operational  contingency  plans 
provide  detailed  workaround  procedures  to  be  employed  should  critical  systems 
fail  because  of  Y2K  or  interoperability  problems. 

DoD  Year  2000  Management  Plan,  Version  2.0,  December  1998.  The  DoD 
Year  2000  Management  Plan  (DoD  Management  Plan)  states  that  contingency 
plans  are  required  for  all  mission-critical  systems,  systems  that  were  not  Y2K 
compliant  by  March  1 999,  and  any  system  2  months  or  more  behind  schedule.  The 
DoD  Management  Plan  states  that  realistic  contingency  plans  are  to  be  established 
for  each  system  during  the  assessment  phase  and  should  address  the  development 
and  activation  of  manual  procedures  or  alternative  contracted  methods  that  ensure 
continuity  of  core  processes. 

DESC  Core  Business  Functions.  Four  of  the  DESC  core  business  functions  rely 
on  DFAMS  to  ensure  that  the  DESC  business  processes  continue  uninterrupted. 
The  DESC  Business  Continuity  and  Contingency  Plan  identifies  four  DESC  core 
business  processes:  acquisition  management,  asset  management,  facilities 
management,  and  financial  management.  DESC  Components  had  been  tasked  to 
develop  operational  contingency  plans  for  those  DESC  core  business  processes. 

Operational  Contingency  Plans.  DESC  Components  had  not  developed 
operational  contingency  plans  for  subsystems  that  supported  the  core  business 
processes.  For  example,  within  the  financial  management  core  business  process, 
operational  contingency  plans  had  not  been  developed  for  a  critical  DFAJMS 
subsystem,  the  Automated  Voucher  Examination  and  Disbursement  System.  We 
attribute  the  condition  to  a  lack  of  sufficient  oversight  of  the  DFAMS  renovation. 

The  DESC  Director  of  Information  Systems  identified  the  Automated  Voucher 
Examination  and  Disbursement  System  as  the  most  critical  DFAMS  subsystem. 

The  Defense  Finance  and  Accounting  Service  receives  contractor  bills  and  utilizes 
the  Automated  Voucher  Examination  and  Disbursement  System  to  process  vendor 
payments.  If  DFAMS  suffers  Y2K  disruptions,  then  the  Defense  Finance  and 
Accounting  Service  may  be  unable  to  process  contractor  requests  for  payment, 
which  could  result  in  the  refusal  of  vendors  to  deliver  fuel.  Furthermore,  DESC 
could  incur  interest  payments  for  violating  the  Prompt  Payment  Act,  because  of 
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late  payment  of  vendors  bills.  DESC  estimated  those  bills  at  $30  million  per 
month.  In  addition,  DESC  could  possibly  be  unable  to  establish  contracts  and 
manage  the  inventory,  leading  to  storage  and  transportation  problems. 

Completion  of  Operational  Contingency  Plans.  DLSC  planning  officials 
expected  operational  contingency  plans  to  be  developed  by  March  1999,  as 
required  by  the  DoD  Management  Plan.  As  of  the  end  of  Januaiy  1 999, 
management  did  not  have  drafts  of  operational  contingency  plans.  Because  of  the 
questionable  status  of  the  DFAMS  renovation,  the  development  of  operational 
contingency  plans  needs  to  be  accomplished.  Incomplete  contingency  plans  could 
lengthen  the  time  that  would  elapse  before  business  operations  could  resume  if 
Y2K-related  disruptions  occur  in  DFAMS  computer  operations. 


Summary 

Because  DFAMS  will  not  be  included  in  end-to-end  testing  but  will  interface  with 
the  Defense  Finance  and  Accounting  Service,  it  is  imperative  that  all  DFAMS 
programs  are  tested  in  a  Y2K  domain  that  is  Y2K  compliant.  The  problems  that 
would  occur  if  DFAMS  does  not  function  include  the  inability  to  establish 
contracts,  perform  billing  and  payment  functions,  and  manage  the  inventory.  In 
addition,  there  is  the  potential  for  large  late  payment  penalties,  missed  payment 
discounts,  incorrect  inventories  leading  to  storage  and  transportation  problems, 
and  loss  of  inventory.  Extraordinary  manual  efforts  by  DESC  and  the  Defense 
Finance  and  Accounting  Service  would  be  required  to  accomplish  day-to-day 
mission  support  functions.  A  Y2K  failure,  therefore,  would  result  in  serious 
mission  and  financial  impacts  on  DLA,  DESC,  the  Defense  Finance  and 
Accounting  Service,  and  the  Military  Components  that  depend  on  DESC  for  their 
fuel  requirements 


Recommendations,  Management  Comments,  and  Audit 
Response 


Redirected  and  Added  Recommendations.  As  a  result  of  comments  from  the 
Defense  Information  Systems  Agency,  we  redirected  Recommendation  1.  from 
both  the  Defense  Logistics  Agency  and  the  Defense  Information  Systems  Agency 
to  only  the  Defense  Logistics  Agency  and  added  Recommendation  3. 

1.  We  recommend  that  the  Director,  Defense  Logistics  Agency  assess  the  risk 
associated  with  testing  the  renovated  Defense  Fuels  Automated  Management 
System  programs  on  a  non-year  2000  compliant  test  domain.  Based  on  the 
results  of  the  risk  analysis,  determine  the  need  to  retest  Defense  Fuels 
Automated  Management  System  programs. 
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DLA  Comments.  DLA  did  not  comment  on  a  draft  of  this  report.  We  request 
that  DLA  comment  on  the  final  report. 

DISA  Comments.  DISA  nonconcurred,  stating  that  it  is  the  customer’s 
responsibility  to  assess  the  risk  of  testing  applications  on  a  domain  that  is  not  Y2K 
compliant.  DISA  stated  that  it  is  responsive  to  its  customers  requests  to  establish 
Y2K  test  domains  and  that  the  baselines  of  the  domains  are  Y2K  compliant. 
Additionally,  DISA  stated  that  it  abides  by  the  standards  set  in  the  DoD 
Management  Plan,  which  does  not  specify  that  an  application  be  tested  in  a  Y2K 
compliant  environment.  Further,  DISA  stated  that  it  continues  to  respect  the 
complete  authority  that  its  customers  have  over  their  applications  and  would 
encourage  DLA  to  assess  the  risk  of  testing  its  applications  in  a  non-Y2K 
compliant  domain. 

Audit  Response.  The  DISA  comments  are  partially  responsive.  We  agree  that 
DLA  is  responsible  for  assessing  any  risks  associated  v^th  testing  on  a  domain  that 
is  not  Y2K  compliant  and  redirected  this  recommendation  to  only  DLA.  We  do 
not  agree  with  the  DISA  assessment  that  there  is  no  requirement  to  test 
applications  in  a  Y2K  compliant  environment.  The  Dot)  Management  Plan  states 
that,  in  order  for  a  system  to  meet  the  minimum  exit  criteria  for  the  validation 
phase,  the  system,  among  other  things,  must  be  tested  on  a  compliant  domain  and 
in  an  operationally  compliant  environment.  The  DoD  Management  Plan  also  states 
that  a  waiver  must  be  obtained  for  a  system  that  will  not  be  validated  in  a 
compliant  environment  by  January  31,  1999.  At  the  time  of  our  audit,  about  80 
percent  of  DFAMS  had  been  renovated  and  tested  on  a  domain  in  which  9  of  the 
107  applications  were  not  Y2K  compliant.  Waivers  had  not  been  obtained  for  the 
nine  noncompliant  applications.  We  added  Recommendation  3.  to  address  that 
issue. 

2.  We  recommend  that  the  Director,  Defense  Logistics  Agency  develop 
operational  contingency  plans  for  the  Defense  Fuels  Automated  Management 
System. 

DLA  Comments.  DLA  did  not  comment  on  a  draft  of  this  report.  We  request 
that  DLA  comment  on  the  final  report. 

3.  We  recommend  that  the  Director,  Defense  Logistics  Agency,  in 
conjunction  with  the  Director,  Defense  Information  Systems  Agency,  ensure 
that  the  test  domain  is  year  2000  compliant  before  the  certification  of  the 
Defense  Fuels  Automated  Management  System  as  year  2000  compliant. 
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Appendix  A.  Audit  Process 


This  is  one  in  a  series  of  reports  being  issued  by  the  Inspector  General,  DoD,  in 
accordance  with  an  informal  partnership  with  the  Chief  Information  Officer,  DoD, 
to  monitor  DoD  efforts  to  address  the  Y2K  computing  challenge. 


Scope  and  Methodology 

Work  Performed.  We  reviewed  documented  efforts  made  by  Headquarters, 

DLA;  DLSC;  and  DESC  from  September  1997  through  February  1999  to  ensure 
that  the  operation  of  DFAMS  would  not  be  unduly  disrupted  by  Y2K  problems. 
We  also  reviewed  DoD,  DLA,  and  DLSC  Y2K  Management  Plans  and  obtained 
and  reviewed  DoD  and  DLA  policy  guidance  on  Y2K  program  management  and 
reporting.  We  interviewed  key  personnel  from  the  organizations  that  were 
responsible  for  management  of  ffiel  systems  to  determine  the  status  of  DFAMS 
renovation. 

We  determined  whether  adequate  progress  was  being  made  to  make  DFAMS  Y2K 
compliant.  We  obtained  documentation  on  system  inventory  status,  interface 
agreements,  contingency  plans,  and  other  pertinent  documents.  We  used  the 
iifformation  from  interviews  and  documents  to  assess  efforts  related  to  making 
DFAMS  Y2K  compliant.  Data  reviewed  were  current  as  of  February  1999. 

DoD-Wide  Corporate  Level  Goals.  In  response  to  the  Government  Performance 
and  Results  Act,  the  DoD  has  established  6  DoD-wide  corporate-level 
performance  objectives  and  14  goals  for  meeting  the  objectives.  This  report 
pertains  to  achievement  of  the  following  objective  and  goal 

Objective:  Prepare  now  for  an  uncertain  future. 

Goal:  Pursue  a  focused  modernization  effort  that  maintains  United  States 
qualitative  superiority  in  key  war  fighting  capabilities.  (DoD-3) 
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DoD  Functional  Area  Reform  Goals.  Most  major  DoD  functional  areas  have 
also  established  performance  improvement  reform  objectives  and  goals.  This 
report  pertains  to  achievement  of  the  following  objectives  and  goals,  in  the 
Information  Technology  Management  Functional  Area. 

•  Objective:  Become  a  mission  partner. 

Goal:  Serve  mission  information  users  as  customers  (ITM-1.2) 

•  Objective:  Provide  services  that  satisfy  customer  information  needs. 
Goal:  Modernize  and  integrate  Defense  information  infrastructure. 
(n'M-2.2) 

•  Objective:  Provide  services  that  satisfy  customer  information  needs. 
Goal:  Upgrade  technology  base.  (ITM-2.3) 

High-Risk  Area.  In  its  identification  of  risk  areas,  the  General  Accounting  Office 
has  specifically  designated  risk  in  resolution  of  the  Y2K  problem  as  high.  This 
report  provides  coverage  of  that  problem  and  of  the  overall  Information 
Management  and  Technology  high-risk  area. 

Audit  Type,  Dates,  and  Standards.  We  performed  this  program  audit  from 
November  1998  through  February  1999  in  accordance  with  auditing  standards 
issued  by  the  Comptroller  General  of  the  United  States,  as  implemented  by  the 
Inspector  General,  DoD.  We  did  not  use  computer-processed  data  for  this  audit. 

Contacts  During  the  Audit.  We  visited  or  contacted  individuals  and 
organizations  within  DoD.  Further  details  are  available  upon  request. 

Management  Control  Program.  We  did  not  review  the  management  control 
program  related  to  the  overall  audit  objective  because  DoD  recognized  the  Y2K 
issue  as  a  material  management  control  weakness  area  in  the  FY  1998  Annual 
Statement  of  Assurance. 


Summary  of  Prior  Coverage 

The  General  Accounting  Office  and  the  Inspector  General,  DoD,  have  conducted 
multiple  reviews  related  to  Y2K  issues.  General  Accounting  Office  reports  can  be 
accessed  over  the  Internet  at  http://www.gao.gov.  Inspector  General,  DoD, 
reports  can  be  accessed  over  the  Internet  at  http://wAvw.dodig.osd.mil.  The 
following  reports  address  issues  that  are  discussed  in  this  report. 
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General  Accounting  Office 


General  Accounting  Office  Report  No.  GAO/AIMD-97-106  (OSD  Case 
No.  1389),  “Defense  Computers;  Issues  Confronting  the  Defense  Logistics 
Agency  in  Addressing  Year  2000  Problems,”  August  12,  1997. 


Inspector  General,  DoD 


Inspector  General,  DoD,  Report  No.  99-100,  “Year  2000  Computing  Issues; 
Defense  Logistics  Agency  Distribution  Standard  System,”  March  2,  1999. 

Inspector  General,  DoD,  Report  No.  98-193,  “Evaluation  of  the  Defense 
Megacenters  Year  2000  Program,”  August  25,  1998. 
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Appendix  B.  Report  Distribution 


Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  for  Acquisition  and  Technology 
Deputy  Under  Secretary  of  Defense  (Logistics) 

Director,  Defense  Logistics  Studies  Information  Exchange 
Under  Secretary  of  Defense  (Comptroller) 

Deputy  Chief  Financial  Officer 
Deputy  Comptroller  (Program/Budget) 

Assistant  Secretary  of  Defense  (Command,  Control,  Communications,  and  Intelligence) 
Deputy  Chief  Information  Officer  and  Deputy  Assistant  Secretary  of  Defense  (Chief 
Information  Officer  Policy  and  Implementation) 

Principal  Director  for  Year  2000 
Assistant  Secretary  of  Defense  (Public  Affairs) 


Joint  Staff 


Director,  Joint  Staff 


Department  of  the  Army 


Auditor  General,  Department  of  the  Army 
Chief  Information  Officer,  Army 
Inspector  General,  Department  of  the  Army 


Department  of  the  Navy 

Assistant  Secretary  of  the  Navy  (Financial  Management  and  Comptroller) 

Auditor  General,  Department  of  the  Navy 

Chief  Information  Officer,  Navy 

Inspector  General,  Department  of  the  Navy 

Inspector  General,  Marine  Corps 
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Department  of  the  Air  Force 


Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Air  Force 
Chief  Information  Officer,  Air  Force 
Inspector  General,  Department  of  the  Air  Force 


Other  Defense  Organizations 

Director,  Defense  Information  Systems  Agency 

Inspector  General,  Defense  Information  Systems  Agency 
Chief  Information  Officer,  Defense  Information  Systems  Agency 
United  Kingdom  Liaison  Office,  Defense  Information  Systems  Agency 
Director,  Defense  Logistics  Agency 
Director,  National  Security  Agency 

Inspector  General,  National  Security  Agency 
Inspector  General,  Defense  Intelligence  Agency 
Inspector  General,  National  Imagery  and  Mapping  Agency 
Inspector  General,  National  Reconnaissance  Office 


Non-Defense  Federal  Organizations  and  Individuals 


Office  of  Management  and  Budget 

Office  of  Information  and  Regulatory  Affairs 
General  Accounting  Office 

National  Security  and  International  Affairs  Division 
Technical  Information  Center 
Accounting  and  Information  Management  Division 

Director,  Defense  Information  and  Financial  Management  Systems 
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Congressional  Committees  and  Subcommittees,  Chairman  and 
Ranking  Minority  Member 


Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 

Senate  Committee  on  Armed  Services 

Senate  Committee  on  Governmental  Affairs 

Senate  Special  Committee  on  the  Year  2000  Technology  Problem 

House  Committee  on  Appropriations 

House  Subcommittee  on  Defense,  Committee  on  Appropriations 
House  Committee  on  Armed  Services 
House  Committee  on  Government  Reform 

House  Subcommittee  on  Government  Management,  Information,  and  Technology, 
Committee  on  Government  Reform 

House  Subcommittee  on  National  Security,  Veterans  Affairs,  and  International 
Relations,  Committee  on  Government  Reform 
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Defense  Information  Systems  Agency  Comments 


Inspector  General  (IG)  12  APRIL  1999 


ME140RAND0M  FOR  INSPECTOR  GENERAL,  DEPARTMENT  OF  DEFENSE 
(ATTN:  READINESS  AND  LOGISTICS  SUPPORT 
DIRECTORATE) 

SUBJECT!  Response  to  DoD  IG  Draft  Report,  Year  2000  Computing 
Issues  Related  to  the  Defense  Fuels  Automated 
Management  System  <0FAMS)  (Project  9I.B-90C6) 


1.  The  following  is  the  Agency's  response  to  the  subject  reports 
Recommendation  #  1: 

ve  recommend  that  the  Director,  Defense  Logistics  Agency,  in 
conjunction  with  the  Director,  Defense  Information  Systems 
Agency,  assess  the  risk  associated  with  testing  the  renovated 
Defense  Fuels  Automated  Management  System  programs  on  a  non-Y2K 
compliant  test  domain.  Based  on  the  results  of  the  risk 
analysis,  determine  the  need  to  retest  Defense  Fuels  Automated 
Management  System  programs. 

DXSA  Response: 

Respectfully  non-concur  with  the  following  comments.' 

As  part  of  the  domsin  validation  process,  DXSA  determines 
hardware  compliancy.  Executive  software  and  third  party 
product  compliancy  Is  determined  jointly  by  DI5A  and  Its 
customers.  In  determining  application  compliancy  and 
certification,  di$a  relies  on  the  statements  made  by  the  central 
Design  Activities  or  functional  user  community.  .Accountability 
for  application  re -mediation  is  with  the  application  owners. 

DISA  is  wholly  responsive  to  its  customers  requests  to  establish 
Y2K  test  domains.  The  baseline  of  these  domains  are  Y2K 
compliant,  but  DISA  cannot  affect  what  the  customer  does  to  the 
domain  after  it  is  turned  over  to  them.  Additionally,  DISA  ' 
abides  by  the  standards  set  In  the  Department  of  Defense  Y2K 
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Management  Plan,  these  standards  do  not  specify  that  an 
application  be  tested  in  &  Y2K  conpilant  environment. 

OISA  continues  to  respect  the  complete  authority  that  our 
customers  heve  over  their  applications  and  would  encourage  ox,a 
to  assess  the  rlsit  o£  testing  its  application  in  a  non-Y2K 
compliant  domain.  In  the  event  DIA  chooses  to  pursue  this  t«- 
asses&ment/  dISa  would  participate  when  and  where  OLA  felt  it 
appropriate . 


2.  If  you  have  any  questions,  please  call  Jason  Bakker,  Audit 
Liaison,  at  C'303) 


f 


RICHARP  T.  RACE 
Inspector  General 
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Audit  Team  Members 


The  Readiness  and  Logistics  Support  Directorate,  Office  of  the  Assistant 
Inspector  General,  DoD,  prepared  this  report. 

Shelton  R.  Young 
Raymond  D.  Kidd 
Robert  M.  Murrell 
Joseph  M.  Austin 
Bernard  M.  Baranosky 
Marc  E.  Avers 
Douglas  P.  Ickes 
Dan  P.  Convis 


